[Snort-users] Not feeling the LOVE

Erek Adams erek at ...577...
Mon Mar 4 11:20:23 EST 2002


On Mon, 4 Mar 2002, Ben Keepper wrote:

> I have posted several times all over webdom and have not received a
> single reply to this question:
>
> "I posted this to the snort users list. No replies. I don't think it is
> a stupid question and it is not covered in the documentation.
> I am getting a lot of spp_unidecode (mostly CGI null byte attack) false
> positives originating from my firewall NAT address going ONLY to specific
> web sites (ingrammicro and compaq to be specific).
> How can I eliminate these false positives? Obviously normal rule
> modifications won't work because this is a preprocessor.
> ANY help would be appreciated."
>
> If everybody is ignoring because this is covered in the documentation,
> please be helpful and point me to the spot.

Nope, that's not it.  I just really don't have a good answer for you since
I've never seen this.

> I can't believe I am the only one having this issue.

Well...  You could be.  Many devices have really funky TCP/IP stacks.  If your
device has something odd and/or isn't fully configured then it could cause this.
Since it's just those two sites, I'd bet they are behind some sort of load
balancer device.  Perhaps the same one at both places....

> Once again, any help (or thoughts would be appreciated),

Well, my suggestion would be to read the .conf file.  :)  In there I find the
following sections:

# http_decode: normalize HTTP requests
# ------------------------------------
[...snip...]
# You may also specify -unicode to turn off detection of
# UNICODE directory traversal, etc attacks.  Use -cginull to
# turn off detection of CGI NULL code attacks.

preprocessor http_decode: 80 -unicode -cginull


# unidecode: normalize HTTP/detect UNICODE attacks
# ------------------------------------------------
# Works much the same as http_decode, but does a better
# job of categorizing and identifying UNICODE attacks,
# recommended as a potential replacement for http_decode.

# preprocessor unidecode: 80 -unicode -cginull



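An added example, not from this thread or from Snort itself: a small Python parser for preprocessor lines in the format quoted above. It reports whether each preprocessor line is active (the unidecode line is commented out in the default file, so alerts tagged spp_unidecode mean it was enabled by hand) and which detection switches it carries, so you can confirm what is actually running before editing. The sample config is constructed; note that -cginull switches CGI NULL detection off for every host on that port, not just the two sites mentioned.

```python
import re

# Constructed sample modelled on the snort.conf excerpt quoted above;
# it is not the poster's real configuration file.
SAMPLE_CONF = """\
# http_decode: normalize HTTP requests
preprocessor http_decode: 80 -unicode -cginull

# unidecode: normalize HTTP/detect UNICODE attacks
# preprocessor unidecode: 80 -unicode -cginull
"""

# Matches both live and commented-out "preprocessor <name>: <args>" lines.
# Backslash line continuations are not handled (assumption: one line each).
PREPROC_RE = re.compile(r"^\s*(#\s*)?preprocessor\s+(\w+)\s*:\s*(.*)$")


def parse_preprocessors(conf_text):
    """Describe each preprocessor line found in conf_text.

    Commented-out lines are kept but flagged active=False so you can see
    which of http_decode / unidecode would really run. Bare numbers are
    treated as ports; tokens starting with '-' are detection switches
    (e.g. '-cginull' turns CGI NULL byte detection OFF for that port).
    """
    result = []
    for line in conf_text.splitlines():
        m = PREPROC_RE.match(line)
        if not m:
            continue
        commented, name, rest = m.groups()
        tokens = rest.split()
        result.append({
            "name": name,
            "active": commented is None,
            "ports": [int(t) for t in tokens if t.isdigit()],
            "disabled_checks": [t.lstrip("-") for t in tokens if t.startswith("-")],
        })
    return result


def cginull_detection_enabled(conf_text, preprocessor):
    """True only if the named preprocessor is active and lacks -cginull."""
    for p in parse_preprocessors(conf_text):
        if p["name"] == preprocessor:
            return p["active"] and "cginull" not in p["disabled_checks"]
    return False
```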